Assume the following scenario. Your current domain controller is running on a Windows 2012 server at your local on-premises data center, and you want to migrate your domain controller with flexible single master operation (FSMO) roles to Windows Server 2016 Active Directory. In this blog, we will show you how to do exactly that, walking you through each of the steps. In practice, these steps can also be applied to migrating Windows 2012, 2008, and 2008 R2 servers.

Using a domain controller with FSMO has its advantages. Flexible single master operation (FSMO) is a multi-master model that assigns clear roles and responsibilities to every domain controller while at the same time also giving you the flexibility to transfer roles if needed.

Flexible single master operation (FSMO) can be divided broadly into five roles, which are:

Schema master

Domain naming master

RID master

PDC emulator

Infrastructure master

Another advantage of FSMO is that it mitigates the following issue: Migrating Root and Child domain controllers directly with an OS-level snapshot may cause errors in the domain controller, so it's always better to go for AD Sync and FSMO roles transfer.

Pre-Requisites

Before you can proceed to migrate your domain controller, you will need the following:

Next, you can run the Get-ADDomain | fl Name, DomainMode command on your ECS instance to retrieve the current domain functional level. After running this command, you'll see the on-premises DC mentioned in the output.

Now we need to install the Active Directory role on the Alibaba Cloud ECS instance. This is how you do it:

Open Server Manager > click Add roles and features > in the wizard, click Next > select Role-based or feature-based installation and click Next > click Next > under Roles, check Active Directory Domain Services.

Then, on the Features tab, click Next; on the AD DS description page, click Next; and on the confirmation page, click Next. After that, wait for the installation to complete. Once it is done, this window will appear.

Click Promote this server to a domain controller. You will be prompted with the Active Directory Domain Services Configuration window.

On the next screen, provide a DSRM password, keep the rest as it is, and click Next. Then, on the DNS Options page, click Next. On the next window, select your on-premises DC as the replication source.

Continue to click Next until you reach the Pre-requisites tab, and then click Install. Once the installation is completed, the server will automatically restart.

All your users are now available in the new Active Directory on the cloud ECS instance. Check the FSMO roles by running the netdom query fsmo command:

From the above output, you can see that the FSMO roles are still owned by the on-premises DC. To change this, start by running the command below, which returns the computer name (CSName):

Get-CimInstance Win32_OperatingSystem | fl CSName

Note that you need to replace Csname with your own CSName.

Now your Alibaba ECS instance is ready. Let's transfer the FSMO roles. For the root domain controller, there are five FSMO roles. The schema master and domain naming master roles are assigned only once in the forest, so they will not be present when you move a child domain controller.

Now, run the following command in your on-premises data center. (In the following command, replace Your_DC_CSName with the cloud instance's CSName.)

Change the command to fit your situation. Again, in the example above, the cloud DC is running Server 2016 and the domain is alibabapoc.com, hence, for instance, Set-ADForestMode -Identity alibabapoc.com -ForestMode Windows2016Forest. Your DC is now up and running on Alibaba Cloud.

You can repeat the same steps to migrate your child domain controller; the only difference is that two FSMO roles (schema master and domain naming master) will not be there.
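
The role transfer and verification described above, as an added PowerShell example (not the article's own commands). It assumes the ActiveDirectory module is installed and that the account has the rights noted in the comments; Get-FsmoHolder is a helper defined here, and Your_DC_CSName is the article's placeholder for the cloud DC's name. It handles both the root-domain case (five roles) and the child-domain case (three roles).

```powershell
# Added example. 'Your_DC_CSName' is the article's placeholder for the cloud DC's CSName.
Import-Module ActiveDirectory
$TargetDC = 'Your_DC_CSName'

function Get-FsmoHolder {
    # Two roles are forest-wide, three exist once per domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# 1. Record the current owners (same information as netdom query fsmo).
$before = Get-FsmoHolder
$before.GetEnumerator() | Format-Table Name, Value -AutoSize

# 2. Stop unless the target resolves to a domain controller.
$dc = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop

# 3. A child domain only carries the three domain-wide roles; the forest root adds two more.
#    Moving SchemaMaster needs Schema Admins; DomainNamingMaster needs Enterprise Admins.
$roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
if ((Get-ADDomain).DNSRoot -eq (Get-ADForest).RootDomain) {
    $roles += 'SchemaMaster', 'DomainNamingMaster'
}

# 4. Graceful transfer. -Force is deliberately omitted: it seizes roles and is meant
#    for the case where the current owner is permanently offline.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $roles -Confirm:$false

# 5. Verify that every requested role now points at the new DC.
$after = Get-FsmoHolder
$notMoved = $roles | Where-Object { $after[$_] -ne $dc.HostName }
if ($notMoved) { throw "Roles still on the old owner: $($notMoved -join ', ')" }
$after.GetEnumerator() | Format-Table Name, Value -AutoSize
```

Keeping the before and after tables in the change record gives an audit trail of who owned each role at cutover.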